On the 17th of June, 2010 specialists of the VirusBlokAda company (www.anti-virus.by/en/) detected 
new malware modules. They have been added to the anti-virus databases as Trojan-Spy.0485 
(http://www.virustotal.com/ru/analisis/9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8-1278584177) 
and Malware-Cryptor.Win32.Inject.gen.2 
(http://www.virustotal.com/ru/analisis/d58c95a68ae3debf9eedb3497b086c9d9289bc5692b72931f3a12c3041832628-1278584115). 
The files were named ~wtr4132.tmp (513536 bytes) and ~wtr4141.tmp (25720 bytes) respectively. 
The functionality of this malware also includes rootkit techniques. 

Propagation method 

Note that the virus infects the operating system in an unusual way (without using an autorun.inf 
file): through a vulnerability in the processing of lnk files (Windows shortcuts). 

It is therefore enough to open an infected USB storage device in Microsoft Explorer or any other file 
manager that displays icons (for example, Total Commander) for the operating system to be infected 
and the malware to be executed. 


Below is a screenshot of an infected USB storage device in the FAR file manager (FAR does not 
trigger the infection): 

The screenshot shows that the root of the USB device contains 2 files with the tmp extension 
(they are executables) and 4 files with the lnk extension. The next screenshot shows the content of 
one of the lnk files: 

Windows 7 Enterprise Edition x86 with all the latest updates is vulnerable, which means the malware 
uses a vulnerability that still exists and has not been closed in Windows. 
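The propagation pattern above (shortcut files in the device root next to executables disguised with a .tmp extension) can be checked for from a clean machine. The following triage script is an added example, not code from the report or from VirusBlokAda; the file names inside the sample directory are constructed, and the shortcut files carry only a Shell Link header.

```python
# Added example (not from the report): triage heuristic for the USB propagation
# pattern described above: .lnk shortcuts in the device root beside .tmp files
# that are really executables. The sample directory below is constructed.
import tempfile
from pathlib import Path

LNK_HEADER_SIZE = (0x4C).to_bytes(4, "little")  # Shell Link HeaderSize field
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def is_shell_link(path: Path) -> bool:
    """True if the file carries a Shell Link (.lnk) header, whatever its name says."""
    with path.open("rb") as f:
        head = f.read(20)
    return head[:4] == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def is_pe_image(path: Path) -> bool:
    """True if the file starts with the MZ signature of a Windows executable."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def triage_usb_root(root) -> dict:
    """Flag a removable-drive root that holds .lnk shortcuts beside executable .tmp files."""
    files = [p for p in Path(root).iterdir() if p.is_file()]
    lnks = sorted(p.name for p in files if p.suffix.lower() == ".lnk" and is_shell_link(p))
    tmp_exes = sorted(p.name for p in files if p.suffix.lower() == ".tmp" and is_pe_image(p))
    return {"lnk_files": lnks, "executable_tmp_files": tmp_exes,
            "suspicious": bool(lnks) and bool(tmp_exes)}


def make_sample_root(infected: bool = True) -> Path:
    """Build a constructed directory mimicking the infected device root from the report."""
    root = Path(tempfile.mkdtemp(prefix="usb_root_"))
    (root / "readme.txt").write_bytes(b"ordinary user file\n")
    if infected:
        # sizes as reported; bodies are placeholders, only the MZ signature matters here
        for name, size in (("~wtr4132.tmp", 513536), ("~wtr4141.tmp", 25720)):
            (root / name).write_bytes(b"MZ" + b"\0" * (size - 2))
        for i in range(1, 5):  # four shortcut files (constructed names), header only
            (root / f"link{i}.lnk").write_bytes(LNK_HEADER_SIZE + LNK_CLSID + b"\0" * 56)
    return root


if __name__ == "__main__":
    print(triage_usb_root(make_sample_root()))
```

On an already infected host the filter driver described later in this report hides the ~wtr*.tmp and lnk files, so the listing must come from a machine that is not running the rootkit.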

Process of system infection and hiding 

The system is infected in the following way: 

1. Both files (mrxnet.sys and mrxcls.sys; one works as a file-system filter driver and the other is 
an injector of malicious code) are placed in the %SystemRoot%\System32\drivers directory. In the 
gmer anti-rootkit this is seen as follows: 
Analysis of the drivers showed that the files have a resource section with the following version 
information: 
mrxnet.sys Properties (Details tab): 

File description:  Windows NT NET Minirdr 
Type:              System file 
File version:      5.1.2600.2932 
Product name:      Microsoft® Windows® Operating System 
Product version:   5.1.2600.2902 
Copyright:         © Microsoft Corporation. All rights reserv... 
Size:              16,9 KB 
Date modified:     21.06.2006 14:51 
Language:          English (United States) 
Original filename: MRXNET.Sys 

Note that the drivers are signed with the digital signature of Realtek Semiconductor Corp. On the 24th of 
June, 2010 we sent a letter to Realtek containing a warning and a description of the current 
problem. However, a reply from Realtek still hasn't been received. 
mrxnet.sys Properties (Digital Signatures tab): 

Signature status:     This digital signature is OK 
Name of signer:       Realtek Semiconductor Corp (e-mail address not available) 
Signing time:         25 January 2010 
Countersignature:     VeriSign Time St... (e-mail address not available) 

Certificate: 

Intended purposes:    Ensures software came from software publisher; 
                      protects software from alteration after publication 
Issued to:            Realtek Semiconductor Corp 
Issued by:            VeriSign Class 3 Code Signing 2004 CA 
Valid from:           15.08.2007 to 12.06.2010 



The files mrxnet.sys and mrxcls.sys were also added to the VirusBlokAda virus databases as 
Rootkit.TmpHider 
(http://www.virustotal.com/ru/analisis/0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198-1278584497) 
and SScope.Rookit.TmpHider.2 
(http://www.virustotal.com/ru/analisis/1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c-1278661251) 
respectively. 

2. Two files (oem6c.pnf and oem7a.pnf, whose content is encrypted) are placed in the 
%SystemRoot%\inf directory. 

The malware gets control right after the system has been infected; no additional reboot is needed. 


The filter driver hides the ~wtr4132.tmp and ~wtr4141.tmp files and the corresponding lnk files, so 
users may not even notice that there are extra files on their USB devices. Vba32 AntiRootkit 
(http://anti-virus.by/en/beta.shtml) detects the hidden modules in the following way: 
3. The rootkit also runs additional threads in system processes and at the same time hides the 
modules that started those threads. The gmer anti-rootkit detects these anomalies as follows: 



4. The rootkit installs hooks in system processes. gmer shows the patched ntdll.dll stubs in 
lsass.exe and svchost.exe (patch address, number of bytes, bytes written): 

.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtClose + 6                 76DD4936 4 Bytes [50,00,09,76] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtClose + B                 76DD493B 1 Byte [02] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtCreateSection + 6         76DD4B56 4 Bytes [48,00,09,76] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtCreateSection + B         76DD4B5B 1 Byte [02] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtMapViewOfSection + 6      76DD5096 4 Bytes [44,00,09,76] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtMapViewOfSection + B      76DD509B 1 Byte [02] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtOpenFile + 6              76DD5146 4 Bytes [4C,00,09,76] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtOpenFile + B              76DD514B 1 Byte [02] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtQueryAttributesFile + 6   76DD53A6 4 Bytes [54,00,09,76] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtQueryAttributesFile + B   76DD53AB 1 Byte [02] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtQuerySection + 6          76DD55F6 4 Bytes [5B,00,09,76] 
.text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtQuerySection + B          76DD55FB 1 Byte [02] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtClose + 6               76DD4936 4 Bytes [50,00,09,76] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtClose + B               76DD493B 1 Byte [02] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtCreateSection + 6       76DD4B56 4 Bytes [4B,00,09,76] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtCreateSection + B       76DD4B5B 1 Byte [02] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtMapViewOfSection + 6    76DD5096 4 Bytes [44,00,09,76] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtMapViewOfSection + B    76DD509B 1 Byte [02] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtOpenFile + 6            76DD5146 4 Bytes [4C,00,09,76] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtOpenFile + B            76DD514B 1 Byte [02] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtQueryAttributesFile + 6 76DD53A6 4 Bytes [54,00,09,76] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtQueryAttributesFile + B 76DD53AB 1 Byte [02] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtQuerySection + 6        76DD55F6 4 Bytes [50,00,09,76] 
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtQuerySection + B        76DD55FB 1 Byte [02] 

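The gmer listing above is the kind of output an analyst would want to reduce to "which processes have which ntdll stubs patched, and where do the patches point". The script below is an added example, not code from the report or from gmer: it parses lines in gmer's format, decodes each 4-byte patch as a little-endian pointer, and flags a process in which all six file-related stubs from the listing are hooked together. The sample lines are constructed from a subset of the listing above.

```python
# Added example (not from the report or from gmer): parse gmer's interception
# listing, decode the 4-byte patches as pointers, and flag the hook set per process.
import re
from collections import defaultdict

HOOK_RE = re.compile(  # .text <image>[pid] <module>!<func> + <off> <addr> N Bytes [..]
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+[\w.]+!(?P<func>\w+)\s*\+\s*"
    r"[0-9A-Fa-f]+\s+(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes?\s+\[(?P<bytes>[^\]]+)\]")

# Stubs that the report shows hooked together in lsass.exe and svchost.exe.
FILE_HIDING_SET = {"NtClose", "NtCreateSection", "NtMapViewOfSection",
                   "NtOpenFile", "NtQueryAttributesFile", "NtQuerySection"}


def parse_hooks(lines):
    """Return one dict per gmer hook line; lines that do not match are skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        patch = bytes(int(b, 16) for b in m["bytes"].replace(" ", "").split(","))
        hooks.append({
            "process": m["image"].rsplit("\\", 1)[-1] + f"[{m['pid']}]",
            "func": m["func"],
            "addr": int(m["addr"], 16),
            # a 4-byte patch is read as a little-endian pointer the stub now goes through
            "pointer": int.from_bytes(patch, "little") if len(patch) == 4 else None,
        })
    return hooks


def summarise(lines):
    """Per process: hooked stubs, their pointers, and whether the full set is present."""
    per_proc = defaultdict(dict)
    for h in parse_hooks(lines):
        if h["pointer"] is not None:
            per_proc[h["process"]][h["func"]] = h["pointer"]
    return {p: {"hooked": sorted(f), "pointers": f,
                "file_hiding_pattern": FILE_HIDING_SET <= set(f)}
            for p, f in per_proc.items()}


SAMPLE_LINES = [  # constructed from the gmer listing in the report (a subset of its lines)
    r".text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtClose + 6 76DD4936 4 Bytes [50,00,09,76]",
    r".text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtClose + B 76DD493B 1 Byte [02]",
    r".text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtCreateSection + 6 76DD4B56 4 Bytes [48,00,09,76]",
    r".text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtMapViewOfSection + 6 76DD5096 4 Bytes [44,00,09,76]",
    r".text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtOpenFile + 6 76DD5146 4 Bytes [4C,00,09,76]",
    r".text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtQueryAttributesFile + 6 76DD53A6 4 Bytes [54,00,09,76]",
    r".text C:\Windows\system32\lsass.exe[304] ntdll.dll!NtQuerySection + 6 76DD55F6 4 Bytes [5B,00,09,76]",
    r".text C:\Windows\system32\svchost.exe[732] ntdll.dll!NtClose + 6 76DD4936 4 Bytes [50,00,09,76]",
]

if __name__ == "__main__":
    for proc, info in summarise(SAMPLE_LINES).items():
        print(proc, info["hooked"], "full set" if info["file_hiding_pattern"] else "partial")
```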

Thus, this malware should be placed in the very dangerous category, because there is a risk of a 
virus epidemic at the current moment. The reasons are: 

1. A vulnerability of the operating system that still has not been closed is used for propagation. 
The malware starts hiding itself right after the system has been infected; 

2. Digitally signed drivers are used for hiding. That is why it is difficult to identify them 
independently, since anti-rootkits are misled. Also, detection of these drivers by antivirus 
companies has been absent for a long time, probably because such samples are screened out at the 
primary stage of processing binary files in the incoming flow. 


After we added the new records to the anti-virus databases, we are seeing a lot of detections of 
Rootkit.TmpHider and SScope.Rookit.TmpHider.2 all over the world. 